Vulnerability Development mailing list archives
Re: Protecting Java Class Files...
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Fri, 29 Sep 2000 15:28:40 +0800
At 09:21 AM 28-09-2000 +0100, SMILER wrote:
My customers are running some online games that gives points to the pplayers if they win, and the points can be exchanged by prices later on. What I pretented to do is to protect their java class files as they canĀ“t be easily decompiled, and I am sure there must be some ways to do this. Any suggestions ? Smiler.
It doesn't sound easy to do. I'm wondering why you are sure there are ways to do it ;). My normal assumption is the client has full control over whatever they can download and run. So if there are any secrets in your programs they will eventually be found. At the moment I don't think you can stop people from decompiling your stuff if you want to allow them to run it on their own machines. I suggest setting things up so that decompilation of your client isn't an issue. 1) Move as much as you can server side. The server should be under your control. And game reality should be under the server's control. The clients can only _suggest_ to the server what to do, the server decides whether it's possible. The clients must NEVER be able to define reality. They can only suggest changes to the reality but not define it. If the clients can define reality, it is likely that they can cheat. For example if the points are stored in the client side, then they can cheat (unless the server digitally signs the scores/points/scorecard - but you better think the implementation through thoroughly!). If the program running at client side decides whether the user wins, then they can cheat. But if the server decides who wins and keeps track of the points then it's harder to cheat. A harder issue: for many online games the clients know what everyone else in a game is doing, even if players aren't supposed to know. Because for some games (3d) it is too difficult for the server to know when not to tell the clients certain things. So you get things like players being able to see through walls and so on. However for card games you can prevent that from happening and you better do it! 2) Identify players uniquely - then it's easier to tell who is cheating. e.g. a hard to guess session cookie is sent with each request and verified by the server for validity. This can be quite resource intensive. If possible you should increase the cost of creating accounts - either in time or money - so that you don't get mischief makers creating tons of throwaway accounts. 3) Dealing with mischief makers. You should be able to blacklist/ban players if they abuse the system. Preferably automatically. So they get ignored if they try to make 1000 connections to your servers or do other silly stuff. Sometimes people react badly if they lose. And sometimes people just want to cause trouble. There are many other things to think of and do. I'm sure other people have good suggestions. Take a look at them and spend a few days to think of other things based on what you learn. Cheerio, Link.
Current thread:
- Protecting Java Class Files... SMILER (Sep 28)
- Re: Protecting Java Class Files... Lincoln Yeoh (Sep 29)
- Re: Protecting Java Class Files... Bluefish (P.Magnusson) (Sep 29)
- <Possible follow-ups>
- Re: Protecting Java Class Files... Mick Chang (Sep 30)